The information contained in a 27GB file was discovered by Australia-based internet security expert Troy Hunt earlier this week.
It contains their names, full identity numbers, income, gender, employment history, contact numbers and even home addresses.
South Africa’s population is about 54 million, so more than half of the country is affected by what has been described as the country’s worst leak of private data.
The country’s State Security Agency (SSA) would not be drawn into discussing the implications of such a breach and whether it could threaten security.
“We are looking into the matter. There is an investigation. We are obviously very concerned,” SSA spokesperson Brian Dube told the BBC.
“It’s important to us to get to the bottom of this, see how it came about and do whatever we have to do, to deal with it,” he said.
Local newspaper, The Times, is reporting that the breach has even reached senior politicians, including President Jacob Zuma, but this has not been confirmed.
What could go wrong?
There are many unknowns.
According to Mr Hunt, the file dates back to April 2015 but it is not clear how long the information was on the internet prior to his find.
The information could have been accessed by anyone from anywhere in the world if they knew what to look for.
Experts say this is the sort of data that companies would pay good money for.
Mr Hunt said on Twitter this week that the data breach “is one of the worst I’ve ever seen on many levels”.
The server of a property company called Jigsaw Holdings appears to be the source of the breach; this was traced through an IP address, according to local reports.
While Jigsaw has not been available for comment, it is not believed the cyber breach was a result of malice or negligence.
What happens now?
Some local newspapers have been calling for South Africans to use Mr Hunt’s website haveibeenpwned, which works by checking one’s email address to see if their account has been compromised.
I took his advice. I’ve been using a private email address for years which I have always believed to be secure – but it turns out I’m in the 30 million.
It is not clear what happens now and perhaps that is the part that is most unnerving – do you wait until you are a target? Will you be a target? Do you warn your credit providers? Or simply do nothing?
So what’s the risk?
The publisher of Stuff Magazine, a technology magazine in South Africa, says in the wrong hands, the information could be used to impersonate people.
“All of this information could be used to open a bank account, a credit card account and they would use it knowing that someone else will have to pay for it when the bill comes,” Radio 702 quotes Toby Shapshak as saying.
He also speculated in the same interview that as many as 60 million people have had their personal data compromised, if you include the details of people who have died.
Time to panic?
South Africa’s banking institutions are said to be among the safest in the world, but they could be caught off-guard if the information was misused.
It is said to be the largest leak of the details of private citizens in the country’s history – and yet it seems to have gone largely undetected.
There is no outcry.
But Mr Shapshak says South Africans “should panic”.
“Yes the data may be five years old but our ID numbers stay the same, our employment history stays the same and these are the sort of things that make it possible to create fake identities. It is a serious problem and I’m not being paranoid.”
Experts say cyber crime is still not taken as seriously as conventional crime, even though it can be used to fund all sorts of illicit activities including terrorism, while the possibility of identity theft could open a whole new door for criminals here.
“It’s too early to say anything at this moment… There are a lot of reports going around, but we are concerned and looking into it,” said Mr Dube.
And so we wait – and hope that the right people are doing all the right things to protect the country’s citizens from those who live on the dark web.